Creates or updates a secret in a key vault.
[-VaultName] <String>
[-Name] <String>
[-SecretValue] <SecureString>
[-Expires <DateTime>]
[-NotBefore <DateTime>]
[-ContentType <String>]
[-Tag <Hashtable>]
[-DefaultProfile <IAzureContextContainer>]
[-Id] <String>
[-SecretValue] <SecureString>
[-Expires <DateTime>]
[-NotBefore <DateTime>]
[-ContentType <String>]
[-Tag <Hashtable>]
[-DefaultProfile <IAzureContextContainer>]
[-InputObject] <PSKeyVaultSecretIdentityItem>
[-SecretValue] <SecureString>
[-Expires <DateTime>]
[-NotBefore <DateTime>]
[-ContentType <String>]
[-Tag <Hashtable>]
[-DefaultProfile <IAzureContextContainer>]
The Set-AzKeyVaultSecret cmdlet creates or updates a secret in a key vault in Azure Key Vault. If the secret does not exist, this cmdlet creates it. If the secret already exists, this cmdlet creates a new version of that secret.
$Secret = ConvertTo-SecureString -String "****" -AsPlainText -Force
Set-AzKeyVaultSecret -VaultName 'Contoso' -Name 'ITSecret' -SecretValue $Secret
Vault Name : Contoso
Name : ITSecret
Version : 8b5c0cb0326e4350bd78200fac932b51
Id :
Enabled : True
Expires :
Not Before :
Created : 5/25/2018 6:39:30 PM
Updated : 5/25/2018 6:39:30 PM
Content Type :
Tags :
The first command converts a string into a secure string by using the ConvertTo-SecureString
cmdlet, and then stores that string in the $Secret variable. For more information, type Get-Help ConvertTo-SecureString
The second command modifies value of the secret named ITSecret in the key vault named Contoso. The
secret value becomes the value stored in $Secret.
$Secret = ConvertTo-SecureString -String "****" -AsPlainText -Force
$Expires = (Get-Date).AddYears(2).ToUniversalTime()
$NBF =(Get-Date).ToUniversalTime()
$Tags = @{ 'Severity' = 'medium'; 'IT' = 'true'}
$ContentType = 'txt'
Set-AzKeyVaultSecret -VaultName 'Contoso' -Name 'ITSecret' -SecretValue $Secret -Expires $Expires -NotBefore $NBF -ContentType $ContentType -Disable -Tags $Tags
Vault Name : Contoso
Name : ITSecret
Version : a2c150be3ea24dd6b8286986e6364851
Id :
Enabled : False
Expires : 5/25/2020 6:40:00 PM
Not Before : 5/25/2018 6:40:05 PM
Created : 5/25/2018 6:41:22 PM
Updated : 5/25/2018 6:41:22 PM
Content Type : txt
Tags : Name Value
Severity medium
IT true
The first command converts a string into a secure string by using the ConvertTo-SecureString
cmdlet, and then stores that string in the $Secret variable. For more information, type Get-Help ConvertTo-SecureString
The next commands define custom attributes for the expiry date, tags, and context type, and store
the attributes in variables.
The final command modifies values of the secret named ITSecret in the key vault named Contoso, by
using the values specified previously as variables.
$Secret = ConvertTo-SecureString -String "****" -AsPlainText -Force
Set-AzKeyVaultSecret -Id '' -SecretValue $Secret
Vault Name : Contoso
Name : ITSecret
Version : 8b5c0cb0326e4350bd78200fac932b51
Id :
Enabled : True
Expires :
Not Before :
Created : 5/25/2018 6:39:30 PM
Updated : 5/25/2018 6:39:30 PM
Content Type :
Tags :
This command sets or updates the value of the secret named secret1 in the Key Vault named Contoso using the secret’s URI.
Example 4: Create a secret in azure key vault by command Set-Secret in module Microsoft.PowerShell.SecretManagement
# Install module Microsoft.PowerShell.SecretManagement
Install-Module Microsoft.PowerShell.SecretManagement -Repository PSGallery -AllowPrerelease
# Register vault for Secret Management
Register-SecretVault -Name AzKeyVault -ModuleName Az.KeyVault -VaultParameters @{ AZKVaultName = 'test-kv'; SubscriptionId = 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx' }
# Set secret for vault AzKeyVault
$secure = ConvertTo-SecureString -String "****" -AsPlainText -Force
Set-Secret -Name secureSecret -SecureStringSecret $secure -Vault AzKeyVault
This example sets a secret named secureSecret
in azure key vault test-kv
by command Set-Secret
in module Microsoft.PowerShell.SecretManagement
Prompts you for confirmation before running the cmdlet.
Type: | SwitchParameter |
Aliases: | cf |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
Specifies the content type of a secret. To delete the existing content type, specify an empty string.
Type: | String |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
The credentials, account, tenant, and subscription used for communication with azure
Type: | IAzureContextContainer |
Aliases: | AzContext, AzureRmContext, AzureCredential |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
Indicates that this cmdlet disables a secret.
Type: | SwitchParameter |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
Specifies the expiration time, as a DateTime object, for the secret that this cmdlet updates.
This parameter uses Coordinated Universal Time (UTC). To obtain a DateTime object, use the
Get-Date cmdlet. For more information, type Get-Help Get-Date
Type: | DateTime |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
The URI of the KeyVault Secret.
Please ensure it follows the format: https://<vault-name><secret-name>/<version>
Type: | String |
Aliases: | SecretId |
Position: | 0 |
Default value: | None |
Required: | True |
Accept pipeline input: | False |
Accept wildcard characters: | False |
Secret object
Type: | PSKeyVaultSecretIdentityItem |
Position: | 0 |
Default value: | None |
Required: | True |
Accept pipeline input: | True |
Accept wildcard characters: | False |
Specifies the name of a secret to modify. This cmdlet constructs the fully qualified domain name (FQDN) of a secret based on the name that this parameter specifies, the name of the key vault, and your current environment.
Type: | String |
Aliases: | SecretName |
Position: | 1 |
Default value: | None |
Required: | True |
Accept pipeline input: | False |
Accept wildcard characters: | False |
Specifies the time, as a DateTime object, before which the secret cannot be used. This parameter uses UTC. To obtain a DateTime object, use the Get-Date cmdlet.
Type: | DateTime |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
Specifies the value for the secret as a SecureString object. To obtain a SecureString
object, use the ConvertTo-SecureString cmdlet. For more information, type Get-Help ConvertTo-SecureString
Type: | SecureString |
Position: | 2 |
Default value: | None |
Required: | True |
Accept pipeline input: | False |
Accept wildcard characters: | False |
Key-value pairs in the form of a hash table. For example: @{key0="value0";key1=$null;key2="value2"}
Type: | Hashtable |
Aliases: | Tags |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
Specifies the name of the key vault to which this secret belongs. This cmdlet constructs the FQDN of a key vault based on the name that this parameter specifies and your current environment.
Type: | String |
Position: | 0 |
Default value: | None |
Required: | True |
Accept pipeline input: | False |
Accept wildcard characters: | False |
Shows what would happen if the cmdlet runs. The cmdlet is not run.
Type: | SwitchParameter |
Aliases: | wi |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
Azure PowerShell feedback
Azure PowerShell is an open source project. Select a link to provide feedback: